Wednesday, 17 July 2019

Error - QuarantinedAttributeValueMustBeUnique

Case History.

1. The client already had users created in Office 365.
2. The client wanted to set up SSO for the Office 365 users.

Approach for requirement fulfilment

1. Deployed and configured Azure AD Connect.
    95% of the users were synced and the soft match completed successfully.

5% of the users were getting the error QuarantinedAttributeValueMustBeUnique.

When we checked, two objects were found for each such user under Active users:
1. one in the cloud (created earlier / already existing) with active licenses and a mailbox
2. one unlicensed object synced from AD
Solution -

The duplicate can be resolved by removing one of the two objects, but if we delete the user in Azure we lose the email data, and if we delete the user in AD we lose the profile on the system.

Considering this, and in order to retain both the data and the profile, we resolved it with the following workaround.

  1. Created an OU in AD named "Non o365 sync".
  2. Edited the Azure AD Connect configuration to exclude that OU from syncing with Azure.
  3. Moved the affected users into this OU.
  4. This deleted the unlicensed, AD-synced duplicates in Office 365.
  5. Deleted those users from the Office 365 recycle bin.
  6. Edited the users' UPN in AD and moved them back to the "Users" OU.
  7. Ran a sync; the users in Office 365 were now mapped to their AD identities.

Wednesday, 10 July 2019

Error - AttributeValueMustBeUnique in Azure AD connect sync



My customer had already created accounts in Office 365 and was managing them in Azure; however, due to some business changes they wanted to sync AD with Azure in order to synchronise passwords and manage identities from AD.


Solution - Deploy Azure AD Connect on the AD DC; after that it performs a soft match.


However, there were errors with some users: their identities did not sync and their status still showed as Azure AD.


Error - 


Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:user@domain.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.


Tracking Id: b8367c95-ae67-46e1-xxxx-xxxxxxxxxx

ExtraErrorDetails:
[{"Key":"ObjectId","Value":["cd088468-bb6a-40f9-xxxx-xxxxxxxxxx"]},{"Key":"ObjectIdInConflict","Value":["d7e8405c-54d5-41c6-xxxx-xxxxxxxxxxx"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:user@domain.com"]}]


I tried to do a hard match following the article - https://blogs.technet.microsoft.com/praveenkumar/2014/04/11/how-to-do-hard-match-in-dirsync/


This did not help.


From the Azure AD Connect Health wizard I took the Object ID of the on-prem AD object and tried to map it to the Azure user:


Set-MsolUser -UserPrincipalName user@domain.com -objectId "1xxxxxxxxxxxxxxxxx=="


Ran the Azure AD Connect sync - did not help.



From the same place (the AAD Connect Health page) I took the Source Anchor of the AD object and tried to map it:

Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "1xxxxxxxxxxxxxxxxx=="


This time it was successful.
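The hard-match fix above, as an added example that is not from the original post: a helper that derives the source anchor from the on-prem objectGUID, lists every cloud object that shares the user's UPN or SMTP addresses (the duplicate situation behind both AttributeValueMustBeUnique errors), and only writes the ImmutableId when run with -Apply. It assumes the ActiveDirectory and MSOnline modules, that Connect-MsolService has already been run, and that objectGUID is the Azure AD Connect source anchor (the default); the function name is mine.

```powershell
function Test-AadHardMatch {
    # Added helper (not from the original post). Assumes ActiveDirectory + MSOnline
    # modules and an existing Connect-MsolService session.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$Apply   # without -Apply nothing is changed, only reported
    )
    Import-Module ActiveDirectory

    $ad = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties proxyAddresses
    if (-not $ad) { throw "No on-prem AD user with UPN $UserPrincipalName" }

    # Source anchor / ImmutableId = base64 of the objectGUID bytes, i.e. the value
    # AAD Connect Health shows as Source Anchor (default anchor attribute assumed)
    $immutableId = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())

    # SMTP addresses of the on-prem object, lower-cased for comparison
    $smtp = @($ad.proxyAddresses | Where-Object { $_ -like 'smtp:*' } |
              ForEach-Object { ($_ -split ':', 2)[1].ToLower() })

    # Every cloud object that claims this UPN or one of these SMTP addresses
    # (Get-MsolUser -All walks the whole tenant; fine for a one-off diagnosis)
    $cloud = @(Get-MsolUser -All | Where-Object {
        $u = $_
        $uSmtp = @($u.ProxyAddresses | Where-Object { $_ -match ':' } |
                   ForEach-Object { ($_ -split ':', 2)[1].ToLower() })
        ($u.UserPrincipalName -eq $UserPrincipalName) -or
        (@($uSmtp | Where-Object { $smtp -contains $_ }).Count -gt 0)
    })

    $report = @(foreach ($c in $cloud) {
        [pscustomobject]@{
            UPN         = $c.UserPrincipalName
            ObjectId    = $c.ObjectId
            DirSynced   = [bool]$c.LastDirSyncTime
            Licensed    = $c.IsLicensed
            ImmutableId = $c.ImmutableId
            Matches     = ($c.ImmutableId -eq $immutableId)
        }
    })
    $report | Format-Table -AutoSize | Out-Host

    if ($cloud.Count -eq 0) { Write-Host 'No cloud object found; a sync would create a new one.'; return $report }
    if ($cloud.Count -gt 1) {
        # Two objects own the same attribute values: the sync quarantines the
        # on-prem object (QuarantinedAttributeValueMustBeUnique) until one is retired
        Write-Warning "$($cloud.Count) cloud objects share this identity; retire one before matching."
        return $report
    }
    $target = $cloud[0]
    if ($target.LastDirSyncTime) { Write-Host 'Already synced, nothing to do.'; return $report }
    if ($Apply) {
        # Hard match: stamp the source anchor on the cloud-only object, then run a delta sync
        Set-MsolUser -UserPrincipalName $target.UserPrincipalName -ImmutableId $immutableId
        Write-Host "ImmutableId set; run 'Start-ADSyncSyncCycle -PolicyType Delta' on the AAD Connect server."
    } else {
        Write-Host "Would set ImmutableId $immutableId on $($target.UserPrincipalName); re-run with -Apply."
    }
    return $report
}
# Example call (UPN is a placeholder):
# Test-AadHardMatch -UserPrincipalName user@domain.com
```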


Thursday, 18 January 2018

Analyze Office 365 Message headers

How to get the message headers?

From Outlook:

i. Double-click the mail (this opens it in a new window).

ii. Go to File in the toolbar.

iii. File > Info > Properties

In the pop-up window copy all the contents available under "Internet headers".



From OWA:

a. Open the mail.

b. Click the dropdown next to "Reply all".

c. From the dropdown select "Message Properties".




  • Summary gives an overview of the mail, such as:
    o Subject
    o From, To, etc.
  • The Received headers give an overview of how the mail travelled.



** The above picture is a sample for demonstration only.

FT - Frontend Transport
MB - Mailbox server
CA - CAS mailbox
EOP - Exchange Online Protection
HT - Quarantine

 
  • Forefront Antispam Report header - this section shows:
    o Country of mail origin
    o Spam confidence level
    o Connecting IP - the public-facing IP of the sender's server that talked to our mail server
    o Spam filtering verdict

  • Microsoft Antispam header - this section shows:
    o Bulk confidence level
    o Phishing confidence level

  • Other headers - all remaining details of the message.

We need to check "X-Forefront-Antispam-Report" and "X-Microsoft-Antispam" under this section to understand why the mail was, or was not, marked as spam.

X-Forefront-Antispam-Report - this header explains why our mail was classified as spam or not spam.

We have to check these values in it:

CIP
IPV
EFV
SFV

Please refer to this link for the details of the values specified for SFV and SCL.

X-Microsoft-Antispam - this header helps us identify whether the mail was sent in bulk and whether it is a phishing mail.

We get the following information from it:

BCL
PCL

Please refer to this link for the details of the values specified for BCL and PCL.
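An added example (not from the original post) of reading these two headers without eyeballing them: it unfolds the header block, splits X-Forefront-Antispam-Report and X-Microsoft-Antispam into key/value pairs and decodes the fields named above. The header text is a constructed sample, the SFV and IPV code meanings are the documented EOP ones, and the function names are mine.

```powershell
# Constructed sample header block (not a real message); note the folded lines
$sampleHeaders = @'
Received: from EXAMPLE.prod.outlook.com (2603:10b6:a03:1::1) by
 mail.example.test with HTTPS; Thu, 18 Jan 2018 09:15:02 +0000
X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.test;PTR:mail.example.test;CAT:SPM;SFTY:;
X-Microsoft-Antispam: BCL:7;PCL:0;RULEID:(0000000);SRVR:EXAMPLE;
Subject: Invoice attached
'@

function ConvertFrom-AntispamHeaders {
    param([Parameter(Mandatory)][string]$HeaderText)
    # RFC 5322 folding: a line starting with whitespace continues the previous header
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ''
    $fields = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^(X-Forefront-Antispam-Report|X-Microsoft-Antispam):\s*(.*)$') {
            $value = $matches[2]
            # Each header is a ';'-separated list of KEY:value items (IPv6 CIP keeps its colons)
            foreach ($pair in ($value -split ';')) {
                if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$matches[1]] = $matches[2] }
            }
        }
    }
    return $fields
}

function Get-SpamVerdict {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $sfvText = @{
        SPM = 'spam (filter verdict)';            NSPM = 'not spam'
        BLK = 'sender on blocked senders list';   SFE  = 'skipped, recipient safe sender'
        SKA = 'skipped, allowed by mail flow rule'; SKB = 'skipped, blocked by mail flow rule'
        SKI = 'skipped, internal (intra-org) mail'; SKN = 'skipped, mail flow rule said not spam'
        SKS = 'skipped, mail flow rule said spam';  SKQ = 'released from quarantine'
    }
    $ipvText = @{ CAL = 'connecting IP on the allow list'; NLI = 'connecting IP not on any list' }
    $scl = if ($Fields['SCL'] -match '^-?\d+$') { [int]$Fields['SCL'] } else { $null }
    $bcl = if ($Fields['BCL'] -match '^\d+$')   { [int]$Fields['BCL'] } else { $null }
    $sclMeaning = if ($null -eq $scl) { 'not present' } elseif ($scl -ge 9) { 'high confidence spam' }
                  elseif ($scl -ge 5) { 'spam' } elseif ($scl -ge 0) { 'not spam' } else { 'filtering skipped (-1)' }
    $bclMeaning = if ($null -eq $bcl) { 'not present' } elseif ($bcl -ge 8) { 'bulk, high complaint rate' }
                  elseif ($bcl -ge 4) { 'bulk, mixed complaints' } elseif ($bcl -ge 1) { 'bulk, few complaints' } else { 'not bulk' }
    [pscustomobject]@{
        ConnectingIP = $Fields['CIP']
        Country      = $Fields['CTRY']
        IPV          = "$($Fields['IPV']) - $($ipvText[$Fields['IPV']])"
        SFV          = "$($Fields['SFV']) - $($sfvText[$Fields['SFV']])"
        SCL          = $scl
        SCLMeaning   = $sclMeaning
        BCL          = $bcl
        BCLMeaning   = $bclMeaning
        PCL          = $Fields['PCL']
    }
}

# For the sample: CIP 203.0.113.45, IPV NLI, SFV SPM, SCL 5 (spam), BCL 7 (bulk, mixed complaints)
Get-SpamVerdict -Fields (ConvertFrom-AntispamHeaders -HeaderText $sampleHeaders)
```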




Friday, 3 February 2017

Powershell For o365.

http://m.virtualizationadmin.com/articles-tutorials/application-virtualization-articles/deep-dive-office-365-powershell-cmdlets-part-8.html

Saturday, 31 December 2016

Restore data for a deleted office 365 user


We need to create a new user, assign it an Exchange Online license and let the mailbox be provisioned. Once the mailbox is created for the new user, proceed further.


Connect PowerShell to Exchange Online using the commands below (the same credential variable must be used in both lines):
  • $LiveCred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $LiveCred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session
Then check for the old (deleted) user among the soft-deleted mailboxes:
  • Get-Mailbox -SoftDeletedMailbox   (look for the deleted user)
  • Get-Mailbox -SoftDeletedMailbox -Identity "Name of the mailbox" | fl *guid*
  • Copy the GUID (not the ExchangeGuid) into a notepad (1)
  • Get-Mailbox -Identity "Email address of the new user" | fl *guid*
  • Copy the GUID (2)
The following command copies the old mailbox's email into the new mailbox:
  • New-MailboxRestoreRequest -SourceMailbox "GUID (1)" -TargetMailbox "GUID (2)" -TargetRootFolder "Old Mailbox" -AllowLegacyDNMismatch


If the user had an archive enabled, we restored the archive mailbox separately.
Make sure you have enabled the archive for the new mailbox first.

We run the commands below to get the ArchiveGuid of the old (soft-deleted) mailbox (1) and of the new mailbox (2):

Get-Mailbox -Identity user@domain.com -SoftDeletedMailbox | fl ArchiveGuid
Get-Mailbox -Identity user@domain.com | fl ArchiveGuid

Then restore the archive using those two values:

  • New-MailboxRestoreRequest -SourceMailbox "ArchiveGuid (1)" -TargetMailbox "ArchiveGuid (2)" -TargetRootFolder "Old Mailbox" -AllowLegacyDNMismatch


** The TargetRootFolder parameter specifies the top-level folder in which to restore data. If you don't specify this parameter, the command restores folders to the top of the folder structure in the target mailbox or archive. Content is merged under existing folders, and new folders are created if they don't already exist in the target folder structure. This is an optional parameter.


What does the TargetRootFolder parameter do?   As previously explained, you can use the TargetRootFolder parameter to specify a folder in the top of the folder structure (also called the root) in the target mailbox in which to restore the contents of the inactive mailbox. If you don't use this parameter, mailbox items from the inactive mailbox are merged into the corresponding default folders of the target mailbox, and custom folders are re-created in the root of the target mailbox. The following illustrations highlight these differences between not using and using the TargetRootFolder parameter.

Folder hierarchy in the target mailbox when the TargetRootFolder parameter isn't used

Folder hierarchy in the target mailbox when the TargetRootFolder parameter is used





Sunday, 25 December 2016

Advance Threat protection - Safe Attachment

While showcasing the ATP features to a client in a POC, I noticed the following.

The ATP Safe Attachments rule was set to Replace (block the bad attachment and continue to deliver the mail). However, the mail was not delivered; it was deleted completely.



Solution 


Go to Exchange Admin Center > Protection > Malware Filter





By default the malware policy is set to delete the entire mail if malware is found in the mail or an attachment.


Edit your default policy.


1. Change the default setting to "Delete attachment and use default alert text" or "Custom alert text", depending on your requirement. In my case I kept the default alert text.



2. You can also customize the notification.
3. You can also configure it to notify the sender that the mail was not delivered.



4. A notification about the same can be sent to the admins too, using the default or a custom alert type. (This sends the admin an intimation that a bad mail was sent to user "XXX".)

Sample - notification mail to Admin.




After making the changes I sent a test mail and it was delivered with a notification. The attachment was removed but the mail contents were left as they were.

1. First did a message trace.

2. Checked the recipient inbox. The mail was delivered without the attachment; instead a text file was attached stating that the attachment had been removed because it was marked as malware.
Thursday, 1 December 2016

How to block employee access to Office 365 data


"What do I do to protect data when an employee leaves the organization?" and "How do I block a former employees access to Office 365 after they leave?"
IMPORTANT: The steps in this article are for Office 365 Business Essentials, Office 365 Business Premium and Office 365 Enterprise.
A quick overview of the process looks like this:
  • Block employee access to Office 365 data.
  • (Optional) Get access to the data of the former employee.
  • (Optional) Send the former employee's email to another employee.
  • Delete the former employee's user account.
IMPORTANT: You need to be a member of the Office 365 global admin role to perform the steps in this topic. Make sure the user that performs these steps has the right permissions to complete these steps.
Block employee access to Office 365 data
The first thing you'll want to do is block the former employee from logging in and accessing Office 365 data. There are a few steps you'll want to take to make this happen.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Users > Active Users. Select the employee that you want to block, and then click Edit.
  4. Click the Settings tab, and under Set sign-in status, select Blocked, and then Save.
NOTE: If you block a user from having sign-in access to Office 365, it might take as long as 24 hours to take effect on all that user’s devices and clients. Also, make sure that you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
Stop access to Exchange Online
If you have Exchange Online as part of your Office 365 subscription, you need to log in to the Exchange admin center to follow these steps to block your former employee from accessing their email.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation pane, expand Admin and select Exchange.

  1. In the Exchange admin center, navigate to Recipients > Mailboxes.
  2. Select the user, and on the user properties page, under Mobile Devices, select or click Disable Exchange ActiveSync and Disable OWA for Devices, and Disable email connectivity.
  3. Under Email Connectivity, select Disable.
Wipe and block the former employee's mobile device
If your former employee had a company phone, you can use the Exchange Admin Center to wipe and block that device so that all company data is removed from the device and the device can no longer connect to Office 365.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation pane, expand Admin and select Exchange.

  1. In the Exchange admin center, navigate to Recipients > Mailboxes.
  2. Select the user, and under Mobile Devices, choose View details.
  3. On the Mobile Device Details page, under Mobile devices, select the mobile device, select Wipe Data, and then select Block.
  4. Select Save.
Get access to the data of the former employee
The next thing you'll want to do is preserve the email and business documents or files created by the former employee, and make them available to your new employee or others in your organization. Learn more about individual document storage in What is OneDrive for Business.
To gain access to a former employee’s OneDrive for Business documents, you can sign in to Office 365 as that user (which can require first changing that user’s password), then move those files to an easily accessible location. Or, you can take over the former employee’s OneDrive for Business, and move the files yourself. The following steps explain this approach.
To gain access to a former employee's email, you'll want to export the user's Outlook email information to a .pst file and then import it into another employee's Outlook inbox.
Part 1 – Get access to the former employee’s OneDrive for Business documents
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. In the lower-left navigation, expand Admin, and select SharePoint.

  1. Choose user profiles.
  2. Choose Manage User Profiles.
  3. Search for the former employee’s name (use their alias or full name).
  4. Select the drop-down menu beside their name, and choose Manage site collection owners.

  1. In the Site Collection Administrators field, add your name, the administrator’s name (see the example below), or the future employee’s name (if known).

  1. Scroll down, and select OK.
Part 2 – Copy the former employee’s OneDrive for Business documents to a shared location
  1. With the former employee’s name selected under Manage User Profiles, select the drop-down menu again, and select Manage Personal Site.

NOTE: This is a shortcut to the OneDrive for Business site. Alternatively, you can enter: https://<company_name>-my.sharepoint.com/personal/<employee>_<company name>_onmicrosoft_com.
  1. Select Documents in the left navigation.

  1. You should see your former employee’s OneDrive for Business documents.

  1. From here, copy them to your own OneDrive for Business or a common location, like your team site.
There are a few ways to copy files in Office 365. See Video: Set up document storage and sharing in Office 365, or sync OneDrive for Business files locally and then upload those files to your OneDrive for Business or your team site.
Part 3 - Get access to the Outlook information of the former employee
To save the email messages, calendar, tasks, and contacts of the former employee, export the information to an Outlook Data File (.pst).
  1. Click File > Open & Export > Import/Export.

  1. Click Export to a file, and then click Next.

  1. Click Outlook Data File (.pst), and then click Next.
  2. Select the account you want to export by clicking the name or email address, such as Mailbox – Anne Weiler or anne@contoso.com. If you want to export everything in your account, including mail, calendar, contacts, tasks, and notes, make sure the Include subfolders check box is selected.
NOTE:  You can export one account at a time. If you want to export multiple accounts, after one account is exported, repeat these steps.

  1. Click Next.
  2. Click Browse to select where to save the Outlook Data File (.pst). Type a file name, and then click OK to continue.
NOTE:  If you’ve used export before, the previous folder location and file name appear. Type a different file name before clicking OK.
  1. If you are exporting to an existing Outlook Data File (.pst), under Options, specify what to do when exporting items that already exist in the file.
  2. Click Finish.
Outlook begins the export immediately unless a new Outlook Data File (.pst) is created or a password-protected file is used.
  1. If you’re creating an Outlook Data File (.pst), an optional password can help protect the file. When the Create Outlook Data File dialog box appears, type the password in the Password and Verify Password boxes, and then click OK. In the Outlook Data File Password dialog box, type the password, and then click OK.
  2. If you’re exporting to an existing Outlook Data File (.pst) that is password protected, in the Outlook Data File Password dialog box, type the password, and then click OK.
Part 4 - Give access of former employee's email to another user
To give access of the email messages, calendar, tasks, and contacts of the former employee to another employee, import the information to another employee's Outlook inbox.
  1. Click File > Open & Export > Import/Export.
This starts the Import and Export Wizard.
  1. Choose Import from another program or file, and then click Next.

  1. Choose Outlook Data File (.pst), and click Next.
  2. Browse to the .pst file you want to import.
  3. Under Options, choose how you want to deal with duplicates.
  4. Click Next.
  5. If a password was assigned to the Outlook Data File (.pst), enter the password, and then click OK.
  6. Set the options for importing items. The default settings usually don’t need to be changed.
  7. Click Finish.
 
Send the former employee's new email to another employee
These steps are optional, but you can send any new email to the former employee's email address to another person by adding the former employee's email address to a secondary employee. By doing this, any new emails sent to the former employee's email address will be sent to the employee you specify.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Admin > Users > Active users.
  4. On the Active users page, select the check box next to the user, click Edit, and then click the email addresses tab.
  5. On the Manage email addresses tab, in the text box under Add more email address, type the first part of the new email alias. If you added your own domain to Office 365, you can choose the domain for the new email alias by using the drop-down list.
  6. Next to the email alias you want to add, click Add.
  7. When you're done, click Save.
Remove license from employee
The next step, you'll want to take is to remove the Office 365 license from your former employee. When you remove the license, all that user's data is held for 30 days. After 30 days, all the user's data (except for documents stored on SharePoint Online) is deleted from Office 365 and can't be recovered. If you reassign a license to the user within 30 days, the user's mailbox and data will be saved. Once you remove the license from this user, their license becomes available for another user.
NOTE: All additional email addresses that go with this user are also deleted. If you need someone to receive emails, assign the email address to another user.
NOTE: The user's Lync Online Contacts list may also be deleted. If you restore the Exchange Online license within 30 days, the Contacts list will be restored as well. For more information, see Removing a user’s license for Exchange Online may also remove their Lync Online Contacts list.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Select Users > Active Users.
  4. Check the box for your former employee.
  5. Click Edit.

  1. Select Licenses.

  1. Under Assign licenses, clear the box for the former employee to remove the license.
  2. Click Save.
Delete the former employee's user account
After you've saved and accessed all the former employee's user data, you can delete the former employee's account.
  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Users > Active Users.
  4. Choose the names of the users that you want to delete, and then select Delete.
  5. In the confirmation box, select Yes.
When you delete a user, the user becomes inactive. However, for approximately 30 days after you have deleted the user, you can restore the user.
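The same offboarding steps as a repeatable script, an added example that is not from the original post: block sign-in, cut Exchange client access, wipe and block synced devices, redirect new mail and optionally strip the licence, then read the state back. It assumes the MSOnline module with Connect-MsolService done and an Exchange Online PowerShell session already imported (as in the restore post above). Mail redirection here uses mailbox forwarding instead of the alias step above, since the address is still owned by the former employee's mailbox while it exists; the function name and UPNs are placeholders.

```powershell
function Invoke-EmployeeOffboarding {
    # Added example (not from the original post); assumes Connect-MsolService and an
    # imported Exchange Online session. Successor receives the leaver's new mail.
    param(
        [Parameter(Mandatory)][string]$User,       # former employee's UPN (placeholder)
        [Parameter(Mandatory)][string]$Successor,  # colleague who should receive new mail
        [switch]$RemoveLicense                     # starts the 30-day retention clock
    )
    # 1. Block sign-in; can take up to 24 h to reach every device and client
    Set-MsolUser -UserPrincipalName $User -BlockCredential $true

    # 2. Cut Exchange client access (ActiveSync, OWA, OWA for Devices and the other
    #    client protocols) so already-configured clients cannot keep syncing mail
    Set-CASMailbox -Identity $User -ActiveSyncEnabled $false -OWAEnabled $false `
        -OWAforDevicesEnabled $false -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false

    # 3. Wipe every mobile device that synced with the mailbox, then block their IDs
    $devices = @(Get-MobileDevice -Mailbox $User)
    foreach ($d in $devices) {
        Clear-MobileDevice -Identity $d.Identity -Confirm:$false
    }
    if ($devices.Count -gt 0) {
        Set-CASMailbox -Identity $User -ActiveSyncBlockedDeviceIDs @($devices.DeviceId)
    }

    # 4. Deliver new mail to the successor (forward only, nothing kept in the leaver's box)
    Set-Mailbox -Identity $User -ForwardingAddress $Successor -DeliverToMailboxAndForward $false

    # 5. Optional: remove every licence; data is held 30 days and then deleted
    if ($RemoveLicense) {
        $skus = @((Get-MsolUser -UserPrincipalName $User).Licenses | ForEach-Object { $_.AccountSkuId })
        if ($skus.Count -gt 0) {
            Set-MsolUserLicense -UserPrincipalName $User -RemoveLicenses $skus
        }
    }

    # Verification: read the state back instead of trusting that each call succeeded
    $cas  = Get-CASMailbox -Identity $User
    $msol = Get-MsolUser -UserPrincipalName $User
    [pscustomobject]@{
        User          = $User
        SignInBlocked = $msol.BlockCredential
        ActiveSync    = $cas.ActiveSyncEnabled
        OWA           = $cas.OWAEnabled
        DevicesWiped  = $devices.Count
        ForwardingTo  = (Get-Mailbox -Identity $User).ForwardingAddress
        LicensesLeft  = @($msol.Licenses).Count
    }
}
# Example call (UPNs are placeholders):
# Invoke-EmployeeOffboarding -User leaver@domain.com -Successor manager@domain.com -RemoveLicense
```

Keep the returned object with the ticket: SignInBlocked $true, ActiveSync/OWA $false and LicensesLeft 0 is the evidence that the manual checklist above was actually completed.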
 
Reference –
 